Abstract

We identify a subtle error in an LTL formula reduction method used as
one optimization step in an LTL to Büchi automata translation. The error
led to some incorrect answers of the established model checker DiVinE.
This paper should help authors of other model checkers to avoid this error.

A translation of Linear Temporal Logic (LTL) formulas into language-equivalent
Büchi automata is an important part of all LTL model checkers. The
translation is exponential in the length of the translated formula. As the size
and shape of the produced automaton can greatly affect the running time of other
parts of the model checking algorithms, many improvements of standard translations
have emerged. Some of the improvements modify an input LTL formula in
order to reduce its size and number of modal operators. Unfortunately, the
modification suggested in [2] contains an error: it can produce a smaller but
non-equivalent formula.

The error is in the definition of pure eventuality formulas. 

Quotation of Definition 2 of [2]. The class of pure eventuality formulas is
defined as the smallest set of LTL formulas (in negation normal form) satisfying:

• Any formula of the form $\mathbf{F}\varphi$ is a pure eventuality formula.

• Given pure eventuality formulas $\psi_1$ and $\psi_2$ and an arbitrary formula $\gamma$,
each of $\psi_1 \vee \psi_2$, $\psi_1 \wedge \psi_2$, $\psi_1\,\mathbf{U}\,\gamma$, $\mathbf{G}\psi_1$, $\psi_1\,\mathbf{R}\,\psi_2$, and $\mathbf{X}\psi_1$ is also a pure
eventuality formula.
No. 201/08/P375 (Jan Strejcek).
The paper [2] claims that all pure eventuality formulas define left-append
closed languages, where a language $L$ is left-append closed if for all $w \in \Sigma^\omega$
and $v \in \Sigma^*$: if $w \in L$, then $vw \in L$. One can easily disprove this claim. For
example, $\psi = (\mathbf{F}b)\,\mathbf{U}\,c$ is a pure eventuality formula and $L(\psi)$ is not left-append
closed, as $c^\omega \in L(\psi)$ and $a.c^\omega \notin L(\psi)$.

Invalidity of the claim entails invalidity of the Basic Operator Reduction
Lemma, which directly describes the reduction steps. We recall only the part
of the lemma related to pure eventuality formulas.

Quotation of Lemma 3 (Basic Operator Reduction Lemma) of [2],
Item 4. For all LTL formulas $\varphi$ and pure eventuality formulas $\psi$, the following
equivalences hold: $(\varphi\,\mathbf{U}\,\psi) \equiv \psi$ and $\mathbf{F}\psi \equiv \psi$.

Using the reduction lemma, one can reduce the formula $a\,\mathbf{U}\,((\mathbf{F}b)\,\mathbf{U}\,c)$ into
$(\mathbf{F}b)\,\mathbf{U}\,c$. However, the formulas are not equivalent, as $a.c^\omega \models a\,\mathbf{U}\,((\mathbf{F}b)\,\mathbf{U}\,c)$ while
$a.c^\omega \not\models (\mathbf{F}b)\,\mathbf{U}\,c$. Similarly, $\mathbf{F}((\mathbf{F}b)\,\mathbf{U}\,c)$ can be reduced into the non-equivalent
formula $(\mathbf{F}b)\,\mathbf{U}\,c$. In general, only the implications $(\varphi\,\mathbf{U}\,\psi) \Leftarrow \psi$ and $\mathbf{F}\psi \Leftarrow \psi$
hold. Hence, if an LTL to Büchi automata translation employs this reduction,
then there can be a word satisfying an input formula but not accepted by the
resulting automaton. In the context of model checking, input formulas represent
incorrect behaviours. Thus, the resulting automaton can represent a smaller set
of incorrect behaviours than the input formula specifies. As a result, a model
checker with such a translation can state that a system is correct even if it is
not.

We have detected exactly this kind of error in all versions of the model
checker DiVinE developed during the last five years, i.e. DiVinE version 2.2
and DiVinE Cluster version 0.8.2 and all older versions. The bug has been fixed
with our assistance. The fix will appear in the upcoming versions of the DiVinE
family of tools.

Incorrectness of the claim is caused by the part of the definition saying that,
for a pure eventuality formula $\psi_1$ and an arbitrary formula $\gamma$, $\psi_1\,\mathbf{U}\,\gamma$ is also a
pure eventuality formula. To fix it, it is sufficient to replace $\psi_1\,\mathbf{U}\,\gamma$ by $\gamma\,\mathbf{U}\,\psi_1$.
The proof is straightforward.
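The counterexample above and the repaired definition, checked mechanically as an added example that is not part of the original note: a small evaluator of LTL over ultimately periodic words $v.u^\omega$ (a finite prefix followed by a repeated cycle, so a finite number of positions determines the truth of every formula), plus a bounded search for words that separate a formula from its reduced form. The tuple encoding of formulas and the helper names (`sat`, `separating_words`, `a_until`) are this example's own.

```python
# Added example (not from the paper): LTL on ultimately periodic words v.u^omega,
# used to find words that separate a formula from its "reduced" form.
from functools import lru_cache
from itertools import combinations, product

def sat(formula, prefix, cycle):
    """True iff prefix . cycle^omega satisfies formula (letters = sets of propositions)."""
    n, p = len(prefix), len(prefix) + len(cycle)
    letters = list(prefix) + list(cycle)

    def norm(i):  # suffixes at positions n, n+|cycle|, ... coincide, so fold them
        return i if i < n else n + (i - n) % len(cycle)
    @lru_cache(maxsize=None)
    def holds(f, i):
        i, op = norm(i), f[0]
        if op == 'ap':  return f[1] in letters[i]
        if op == 'not': return not holds(f[1], i)
        if op == 'and': return holds(f[1], i) and holds(f[2], i)
        if op == 'or':  return holds(f[1], i) or holds(f[2], i)
        if op == 'X':   return holds(f[1], i + 1)
        if op == 'F':   return any(holds(f[1], j) for j in range(i, i + p))
        if op == 'G':   return all(holds(f[1], j) for j in range(i, i + p))
        if op == 'U':   # some j >= i satisfies f[2] while f[1] holds at every k in [i, j)
            return any(holds(f[2], j) and all(holds(f[1], k) for k in range(i, j))
                       for j in range(i, i + p))
        if op == 'R':   # release is the dual of until: not((not phi) U (not psi))
            return not holds(('U', ('not', f[1]), ('not', f[2])), i)
        raise ValueError(op)
    return holds(formula, 0)

def separating_words(f, g, props=('a', 'b', 'c'), max_prefix=1, max_cycle=2):
    """Small lasso words on which f and g disagree; [] means they agree on all of them."""
    alphabet = [frozenset(s) for k in range(len(props) + 1) for s in combinations(props, k)]
    found = []
    for lp, lc in product(range(max_prefix + 1), range(1, max_cycle + 1)):
        for prefix in product(alphabet, repeat=lp):
            for cycle in product(alphabet, repeat=lc):
                if sat(f, prefix, cycle) != sat(g, prefix, cycle):
                    found.append((prefix, cycle))
    return found

def a_until(psi):  # a U psi, the left-hand side of the reduction (phi U psi) -> psi
    return ('U', ('ap', 'a'), psi)

PSI_BAD = ('U', ('F', ('ap', 'b')), ('ap', 'c'))  # (F b) U c: pure eventuality only under the flawed Definition 2
PSI_OK = ('U', ('ap', 'c'), ('F', ('ap', 'b')))   # c U (F b): of the form gamma U psi1, allowed after the repair

if __name__ == '__main__':
    print(separating_words(a_until(PSI_BAD), PSI_BAD))  # contains a.c^omega, the paper's witness
    print(separating_words(a_until(PSI_OK), PSI_OK))    # []: this reduction is sound
```

The search is exhaustive only up to the given prefix and cycle lengths, so an empty result is evidence of equivalence on small words, not a proof; a non-empty result is a genuine counterexample.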

A careful researcher can find that on Etessami's web page there is a
reference to [2] leading to a PostScript file [3], which is a slightly different version
of [2].¹ In [3], the definition of pure eventuality formulas is repaired in the
following way:

Quotation of Definition 2 of [3]. The class of pure eventuality formulas is
defined as the smallest set of LTL formulas (in negation normal form) satisfying:

• Any formula of the form $\mathbf{F}\varphi$ is a pure eventuality formula.

• Given pure eventuality formulas $\psi_1$ and $\psi_2$, each of $\psi_1 \vee \psi_2$, $\psi_1 \wedge \psi_2$,
$\psi_1\,\mathbf{U}\,\psi_2$, $\mathbf{G}\psi_1$, $\psi_1\,\mathbf{R}\,\psi_2$, and $\mathbf{X}\psi_1$ is also a pure eventuality formula.

¹ As the differences between [2] and [3] are minor and [3] does not contain any reference
to the conference version, one tends to think that [3] is a preprint of [2] rather than a full
version.
Here, the set of pure eventuality formulas is strictly smaller than the one
defined in [2] and, in the context of this new definition, the mentioned claim holds
(in fact, [3] contains a proof). Consequently, the Basic Operator Reduction
Lemma is also correct in this setting.

We note that the set of pure eventuality formulas according to Definition 2 of
[3] is significantly smaller than the one obtained by the mentioned replacement
of $\psi_1\,\mathbf{U}\,\gamma$ by $\gamma\,\mathbf{U}\,\psi_1$. In spite of this, the reduction of LTL formulas presented
in [3] is not weaker. The reason is that the Basic Operator Reduction Lemma
allows one to reduce all formulas of the form $\gamma\,\mathbf{U}\,\psi_1$ to $\psi_1$. Hence, the final effect
of the reduction is the same in both cases.